System and method for traversing a NAT device with IPSec AH authentication

ABSTRACT

A method for routing IP packets with IPSec AH authentication is disclosed. The method includes locating overlay edge routers between private domains and their associated NAT routers. Outbound packets from a source private domain are modified by its overlay edge router to include IPSec AH authorization data computed using IP source and destination addresses that match a packet&#39;s final source and destination IP address upon final NAT translation immediately prior to delivery to a host of a destination private domain.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of U.S. application Ser. No.15/583,984, filed May 1, 2017, which is a Continuation of U.S.application Ser. No. 13/966,281, filed Aug. 13, 2013, which areincorporated herein by reference.

FIELD

Embodiments of the present invention relate to network security.

BACKGROUND

Internet Protocol security (IPSec) is a protocol suite that providesmechanisms for authenticating and encrypting data flowing within anetwork such as a Virtual Private Network (VPN).

Authentication Header (AH) and Encapsulating Security Payload (ESP) arewire-level protocols provided by IPSec to authenticate (AH) and encrypt(ESP) data. AH may be used in tunnel mode or transport mode.

Transport mode provides a secure connection between two endpoints as itencapsulates the payload portion of Internet Protocol (IP) packets sentover the secure connection. With tunnel mode, the entire IP packet isencapsulated thereby to provide a virtual secure hop between the twoendpoints.

FIG. 1A shows the contents of an IP datagram 100 that has undergoneIPSec AH authentication to include an AH header. FIG. 1B shows thecomponents of the AH header 102 in greater detail. It will be seen thatthe AH Header 102 includes authentication data 104. The data 104 isusually a cryptographic hash-based message authentication code computedover nearly all fields of the original IP packet save for those that aremodified in transit. The fields modified in transit include TTL andheader checksum. FIG. 1 C shows the IP datagram 100 with the fields thatare protected by AH Authentication shaded. The data 104 carries anintegrity check value (ICV) which may be a MD5 or SHA-1 hash.

Network Address Translation (NAT) is a technology that is used to map arange of private addresses to and from a (usually) smaller set of publicaddresses. This reduces the demand for routable public IP space. NATdevices work by modifying IP headers associated with an IP datagram onthe fly. In particular the source and/or destination IP addresses arechanged. When a source or header IP address is changed, it forces arecalculation of the header checksum. This has to be done anyway,because the NAT device typically serves as one “hop” in the path fromsource to destination, and this requires the decrement of the TTL (TimeTo Live) field. However, as noted above since the TTL and headerchecksum fields are always modified in flight, AH knows to excludes themfrom coverage, but this does not apply to the IP addresses. These areincluded in the integrity check value, and any modification will causethe check to fail when verified by the recipient. FIG. 1D shows the IPdatagram 100 with the fields that are modified by NAT shaded and FIG. 1Eshows the IP datagram 100 with the fields that are broken by NAT shaded.

Because the ICV incorporates a secret key which is unknown byintermediate parties, the NAT router is not able to recalculate the ICV,making NAT incompatible with IPSec AH authentication.

SUMMARY

According to a first aspect of the invention, a method for routing IPpackets with IPSec AH authentication is disclosed. The method includeslocating overlay edge routers between private domains and theirassociated NAT routers. Outbound packets from a source private domainare modified by its overlay edge router to include IPSec AHauthorization data computed using IP source and destination addressesthat match a packet's final source and destination IP address upon finalNAT translation immediately prior to delivery to a host of a destinationprivate domain.

Other aspects of the invention will be apparent from the detaileddescription below.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1A shows the contents of a IP packet.

FIG. 1B shows the IPSec AH Header in greater detail.

FIG. 1C shows the fields of the IP packet that are protected by IPSec AHauthentications.

FIG. 1D shows the fields of the IP packet that are modified by a NetworkAddress Translation (NAT) device.

FIG. 1E shoes the fields of the IP packet that are broken by NAT.

FIG. 2A shows a network setup for transmitted packets from a Host A to aHost B across NAT devices.

FIG. 2B shows the network setup of FIG. 2A modified by the creation ofan overlay domain (OD) to facilitate packet transmission from the Host Ato the Host B with IPsec AH authentication across the NAT devices, inaccordance with one embodiment of the invention.

FIG. 3 shows steps by an overlay router to prepare an IP packet fromtransmission, in accordance with one embodiment of the invention.

FIG. 4 shows the fields of an IP packet as modified by the process ofFIG. 3.

FIG. 5 shows the steps in created an integrity check value (ICV) inaccordance with one embodiment of the invention.

FIG. 6 shows the IP datagram of FIG. 3 as modified by a router R2.

FIG. 7 shows a high-level block diagram for an overlay controller (OC),in accordance with one embodiment of the invention.

FIG. 8 shows a high-level block diagram of hardware for a router, inaccordance with one embodiment of the invention.

DETAILED DESCRIPTION

In the following description, for purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the invention. It will be apparent, however, to oneskilled in the art that the invention can be practiced without thesespecific details. In other instances, structures and devices are shownin block or flow diagram form only in order to avoid obscuring theinvention.

Reference in this specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin connection with the embodiment is included in at least one embodimentof the invention. The appearance of the phrase “in one embodiment” invarious places in the specification are not necessarily all referring tothe same embodiment, nor are separate or alternative embodimentsmutually exclusive of other embodiments. Moreover, various features aredescribed which may be exhibited by some embodiments and not by others.Similarly, various requirements are described which may be requirementsfor some embodiments but not other embodiments.

Moreover, although the following description contains many specifics forthe purposes of illustration, anyone skilled in the art will appreciatethat many variations and/or alterations to the details are within thescope of the present invention. Similarly, although many of the featuresof the present invention are described in terms of each other, or inconjunction with each other, one skilled in the art will appreciate thatmany of these features can be provided independently of other features.Accordingly, this description of the invention is set forth without anyloss of generality to, and without imposing limitations upon, theinvention.

Broadly, embodiments of the present invention teach extending IPSec AHAuthentication to NAT device so that IPSec AH authentication may be usedto protect IP packets that traverse a NAT device.

To understand embodiments of the invention, consider the network setup200 shown in FIG. 2 which will be used to illustrate how IP packets froma Host A within a private network 202 located behind a NAT router 204can be encrypted with IPSec AH authentication and delivered to Host Bwithin a private domain 206 located behind a NAT router 208 via anintermediate transport network 210 such as the Internet.

In one embodiment, an overlay domain is created to facilitate routingwith the network setup 200. The overlay domain may include a pluralityof overlay edge routers (OERs) each coupled to an overlay controller(OC). The overlay controller (OC) orchestrates secure overlay routingbased on defined policy and control logic. Communications between theoverlay controller (OC) and the overlay edge routers (OERs) arefacilitated by an overlay protocol (OP) which runs over secure DTLSconnections through a core transport network. Each overlay edge router(OER) is defines an edge not that is located at the boundary of theoverlay domain. All overlay edge routers (OERs) connect directly witheach other over the core transport network via IPSec tunnels.

FIG. 2A shows the network setup 200 with elements of the overlay domain.As will be seen said elements include overlay edge routers (OERs) R1,R2, and overlay controller (OC) 212. The overlay edge router (OER) R1 ispositioned between the Host A and the NAT router 204, whereas theoverlay edge router (OER) is positioned between the Host B and the NATrouter 208. In use, the router R1 learns the private IP address (IPA) ofthe Host A and communicates it to the overlay controller (OC) 212 viathe overlay protocol (OP). In a similar manner, the router R2 learns theprivate IPA of the Host B and communicates it to the overlay controller(OC) 212 via the overlay protocol (OP).

FIG. 3 is a workflow drawing showing the steps involved in thetransmission of IP packets from the Host A to the Host B, in accordancewith one embodiment based on the overlay domain shown in FIG. 2A. Thesteps is the workflow are performed by the router R1 Referring to FIG.3, the steps include the following processing blocks:

300: R1 receives an IP packet bound for a target host device (Host B)from a source host device (Host A).

302: R1 determines the private IPA of the last hop overlay edge router(R1). This is done via the overlay protocol (OP) wherein the overlaycontroller (OC) communicates the same to R1 via a DTLS control channelestablished through the network 210.

304: R1 calculates the authentication data based on the public IPaddress of R1 and the private IP address R2. This is illustrated in FIG.5 which shows the steps in produced the authentication data. Referringto FIG. 5 at block 500 the full IP packet with src IP address=public IPAof R1 and dst IP address=private IP address of R2 is received. At block502 a hash function is used to transform the full IP packet in a hashdigest or integrity check value (ICV) which is output at 504.

306: R1 adds the authentication data into the AH header portion of theIP Packet

308: R1 inserts the original IP and UDP headers into the IP packet. Thismeans that the private IPA of R1 is the source IP address and the publicIPA of R2 is the destination IP address as is shown in FIG. 4 whichshows the IP packet 100 as modified by R1

310: R1 transmits the IP packet.

When the packet arrives at R2 it would have been modified through NAT sothat its outer header will have the public IPA of R1 as the source andthe private IPA of R2 as the destination. This can be seen from FIG. 6,which shows the IP packet as modified by NAT and received at the Host B.Thus, when the Host B computes the ICV based on the packet contents itwould match the ICV computed at block 304.

FIG. 7 shows an example of hardware 700 that may be used to implementthe overlay controller (OC), in accordance with one embodiment. Thehardware 700 may includes at least one processor 702 coupled to a memory704. The processor 703 may represent one or more processors (e.g.,microprocessors), and the memory 704 may represent random access memory(RAM) devices comprising a main storage of the hardware, as well as anysupplemental levels of memory e.g., cache memories, non-volatile orback-up memories (e.g. programmable or flash memories), read-onlymemories, etc. In addition, the memory 704 may be considered to includememory storage physically located elsewhere in the hardware, e.g. anycache memory in the processor 702, as well as any storage capacity usedas a virtual memory, e.g., as stored on a mass storage device.

The hardware also typically receives a number of inputs and outputs forcommunicating information externally. For interface with a user oroperator, the hardware may include one or more user input output devices706 (e.g., a keyboard, mouse, etc.) and a display 708. For additionalstorage, the hardware 700 may also include one or more mass storagedevices 710, e.g., a Universal Serial Bus (USB) or other removable diskdrive, a hard disk drive, a Direct Access Storage Device (DASD), anoptical drive (e.g. a Compact Disk (CD) drive, a Digital Versatile Disk(DVD) drive, etc.) and/or a USB drive, among others. Furthermore, thehardware may include an interface with one or more networks 712 (e.g., alocal area network (LAN), a wide area network (WAN), a wireless network,and/or the Internet among others) to permit the communication ofinformation with other computers coupled to the networks. It should beappreciated that the hardware typically includes suitable analog and/ordigital interfaces between the processor 712 and each of the components,as is well known in the art.

The hardware 700 operates under the control of an operating system 714,and executes application software 716 which includes various computersoftware applications, components, programs, objects, modules, etc. toperform the techniques described above.

In general, the routines executed to implement the embodiments of theinvention, may be implemented as part of an operating system or aspecific application, component, program, object, module or sequence ofinstructions referred to as “computer programs.” The computer programstypically comprise one or more instructions set at various times invarious memory and storage devices in a computer, and that, when readand executed by one or more processors in a computer, cause the computerto perform operations necessary to execute elements involving thevarious aspects of the invention. Moreover, while the invention has beendescribed in the context of fully functioning computers and computersystems, those skilled in the art will appreciate that the variousembodiments of the invention are capable of being distributed as aprogram product in a variety of forms, and that the invention appliesequally regardless of the particular type of machine orcomputer-readable media used to actually effect the distribution.Examples of computer-readable media include but are not limited torecordable type media such as volatile and non-volatile memory devices,USB and other removable media, hard disk drives, optical disks (e.g.,Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks,(DVDs), etc.), flash drives among others.

FIG. 8 shows a block diagram of hardware 800 for routes R1 and R1, inaccordance with one embodiment of the invention. Referring to FIG. 8,the hardware 800 includes a routing chip 804 coupled to a forwardingchip 808. The routing chip 804 performs functions such as pathcomputations, routing table maintenance, and reachability propagation.Components of the routing chip include a CPU or processor 804, which iscoupled to a memory 806. The memory stores instructions to perform themethods disclosed herein. The forwarding chip is responsible for packetforwarding along a plurality of line interfaces 810

Although the present invention has been described with reference tospecific exemplary embodiments, it will be evident that the variousmodification and changes can be made to these embodiments withoutdeparting from the broader spirit of the invention. Accordingly, thespecification and drawings are to be regarded in an illustrative senserather than in a restrictive sense.

The invention claimed is:
 1. A method for processing an InternetProtocol (IP) packet, the method comprising: receiving, by a firstrouter within an overlay network, the IP packet from a source hostdevice associated with a source domain, the IP packet bound for adestination host device associated with a destination domain;determining, by the first router, a private IP address of a secondrouter within the overlay network, the second router being associatedwith the destination domain; calculating authentication data using apublic IP address of an intermediate router associated with the sourcedomain as a source IP address, and the private IP address of the secondrouter as a destination IP address; modifying the IP packet to includethe authentication data; generating an outer header for the modified IPpacket, the outer header including a private IP address of the firstrouter as a header source IP address, and the private IP address of thesecond router as a header destination IP address; and transmitting, bythe first router, the modified IP packet to the intermediate router. 2.The method of claim 1, further comprising establishing the overlaynetwork including the first router, the second router, and an overlaycontroller.
 3. The method of claim 2, wherein determining the private IPaddress of the second router includes receiving a message from theoverlay controller over a secure channel that includes the private IPaddress of the second router.
 4. The method of claim 2, furthercomprising obtaining the public IP address of the second router via apeer to peer link through the overlay network.
 5. The method of claim 2,further comprising transmitting a private address of the first router tothe overlay controller over a secure channel.
 6. The method of claim 2,further comprising receiving private IP addresses for all routers in theoverlay network from the overlay controller.
 7. The method of claim 1,wherein the intermediate router includes a Network Address Translation(NAT) router.
 8. A non-transitory computer readable medium containinginstructions that, in response to being executed by one or moreprocessors, cause a first router in an overlay network to performoperations, the operations comprising: receive an Internet Protocol (IP)packet from a source host device associated with a source domain, the IPpacket bound for a destination host device associated with a destinationdomain; determine a private IP address of a second router within theoverlay network, the second router being associated with the destinationdomain; calculate authentication data using a public IP address of anintermediate router associated with the source domain as a source IPaddress, and the private IP address of the second router as adestination IP address; modify the IP packet to include theauthentication data; generate an outer header for the modified IPpacket, the outer header including a private IP address of the firstrouter as a header source IP address, and the private IP address of thesecond router as a header destination IP address; and transmit themodified IP packet to the intermediate router.
 9. The computer readablemedium of claim 8, wherein determining the private IP address of thesecond router includes receiving a message from an overlay controllerover a secure channel that includes the private IP address of the secondrouter.
 10. The computer readable medium of claim 8, wherein theoperations further comprise obtain the public IP address of the secondrouter via a peer to peer link through the overlay network.
 11. Thecomputer readable medium of claim 8, wherein the operations furthercomprise transmit a private address of the first router to an overlaycontroller over a secure channel.
 12. The computer readable medium ofclaim 8, wherein the operations further comprise receive private IPaddresses for all routers in the overlay network from an overlaycontroller.
 13. A first router, comprising: one or more processors; andone or more non-transitory computer readable media containinginstructions that, in response to being executed by the one or moreprocessors, cause the first router to perform operations, the operationscomprising: receive an Internet Protocol (IP) packet from a source hostdevice associated with a source domain, the IP packet bound for adestination host device associated with a destination domain; determinea private IP address of a second router within the overlay network, thesecond router being associated with the destination domain; calculateauthentication data using a public IP address of an intermediate routerassociated with the source domain as a source IP address, and theprivate IP address of the second router as a destination IP address;modify the IP packet to include the authentication data; and generate anouter header for the modified IP packet, the outer header including aprivate IP address of the first router as a header source IP address,and the private IP address of the second router as a header destinationIP address; and transmit the modified IP packet to the intermediaterouter.
 14. The first router of claim 13, further comprising the firstrouter being configured to communicate with an overlay controller over afirst secure channel, wherein the overlay controller communicates withthe second router over a second secure channel.
 15. The first router ofclaim 14, wherein determining the private IP address of the secondrouter includes receiving a message from the overlay controller over asecure channel that includes the private IP address of the secondrouter.
 16. The first router of claim 14, wherein the operations furthercomprise obtain the public IP address of the second router via a peer topeer link through the overlay network.
 17. The first router of claim 14,wherein the operations further comprise transmit a private address ofthe first router to the overlay controller over the first securechannel.
 18. The first router of claim 14, wherein the operationsfurther comprise receive private IP addresses for all routers in theoverlay network from the overlay controller.
 19. The first router ofclaim 14, wherein the operations further comprise transmit a privateaddress of the first router to an overlay controller over a securechannel.
 20. The first router of claim 14, wherein the first securechannel includes a datagram transport layer security (DTLS) channel.